Defect #8068
closedLDAP Authentificaton doesn't verify certificate validity
0%
Description
Security-Bug:
LDAP Authentificaton doesn't verify certificate validity of the LDAP-server-certificate. Connection to the LDAP-Server with LDAPS is established, even if the server name in the certifitcate doesn't match or the certificate authority is not trustful.
Solution: If something is wrong with the certificate, or the certificate authority is not trustful, the connection to the LDAP-Server should be closed and any LDAP-Login should be disabled.
Related issues
Updated by Ruben Kruiswijk over 13 years ago
A possible 'fix' should be made optional. Not every company uses certificates issued by official certificate authorities. Their are enough self-signed certificates that still have to work.
Updated by Tony Edmonds over 13 years ago
Whether the certificate is self-signed, signed by an in-house CA, or signed by an "official" CA, doesn't matter. Redmine should attempt to check the validity of the cert against information on the local machine. Nothing about a self-signed cert precludes this.
Updated by Tony Edmonds over 13 years ago
I can't work out how to fix this myself, but one possible workaround is to use socat to proxy the LDAP port (389) on localhost to the real LDAPS service, validating the certificate along the way.
socat TCP4-LISTEN:389,bind=localhost,reuseaddr,fork,su=nobody OPENSSL:ldapserver.example.com:636,cafile=/etc/ssl/certs/ldapcert.pem &
Then point Redmine to localhost for LDAP (non TLS).
Updated by ciaran jessup over 7 years ago
The 'fix' (which should really be on by default or you could be sending your passwords anywhere :/) can be made by changing
source:trunk/app/models/auth_source_ldap.rb@16773#L147
to something along the lines of
:encryption => {
method: :simple_tls,
tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
}
(note I've removed the optional check of self.tls, this is purely for reference purposes!!!)
If the change above is made then the certificate will be verified correctly, if the certificate is self signed or not available in the operating system's certificate stores for some other reason then the instructions here explain how to install the relevant certificate.
Updated by Go MAEDA about 6 years ago
- Status changed from New to Closed
- Resolution set to Fixed
Resolved by r16773. The latest version of net-ldap verifies certificates by default.
Updated by Go MAEDA about 6 years ago
- Related to Defect #24970: Net::LDAP::LdapError is deprecated added
Updated by Go MAEDA about 6 years ago
- Related to Patch #29606: Support self-signed LDAPS connections added